ldap/servers/slapd/back-ldbm/ldbm_config.c | 2 +-
ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
New commits:
commit 0263e0bffdfcb9cf59b7c6ba29f060987d06449a
Author: Rich Megginson <rmeggins(a)redhat.com>
Date: Mon Jul 11 10:08:56 2011 -0600
Bug 720059 - RDN with % can cause crashes or missing entries
https://bugzilla.redhat.com/show_bug.cgi?id=720059
Resolves: bug 720059
Bug Description: RDN with % can cause crashes or missing entries
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: The code was using PR_snprintf to copy the RDN to the
buffer used to store the value in the entryrdn index. If there was
a % in the value, the PR_snprintf was interpreting the next char as a
formatting directive. But since we don't pass any varargs arguments,
the formatting directive was using random garbage on the stack, which
can lead to crashes or missing entries or other undefined behavior.
The fix is to use PL_strncpyz which will just copy the string up to
the correct buffer size and will make sure the string is properly
null terminated.
You can use a simple C program to illustrate this problem:
int
main(int argc, char *argv[])
{
char buf[10];
argv++;
for (; *argv; ++argv) {
PR_snprintf(buf, sizeof(buf), *argv);
printf("buf is [%s]\n", buf);
}
return 0;
}
gcc -o testit testit.c -lnspr4
Then pass in values like %d %100s %100.100s and so on. You will either
get crashes or random output.
Platforms tested: RHEL6 x86_64
Flag Day: no
Doc impact: no
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_config.c
b/ldap/servers/slapd/back-ldbm/ldbm_config.c
index a1b4062..d8f60b2 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_config.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_config.c
@@ -95,7 +95,7 @@ int ldbm_config_add_dse_entries(struct ldbminfo *li, char **entries,
char *strin
util_pb = slapi_pblock_new();
PR_snprintf(entry_string, 512, entries[x], string1, string2, string3);
e = slapi_str2entry(entry_string, 0);
- PR_snprintf(ebuf, sizeof(ebuf), slapi_entry_get_dn_const(e)); /* for logging */
+ PL_strncpyz(ebuf, slapi_entry_get_dn_const(e), sizeof(ebuf)); /* for logging */
slapi_add_entry_internal_set_pb(util_pb, e, NULL, li->li_identity, 0);
slapi_pblock_set(util_pb, SLAPI_DSE_DONT_WRITE_WHEN_ADDING,
&dont_write_file);
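Review bot: The result of `slapi_str2entry(entry_string, 0)` is handed to `slapi_entry_get_dn_const(e)` and `slapi_add_entry_internal_set_pb` without a NULL check, so a template that fails to parse is not caught here; the unchecked, hard-coded 512-byte `PR_snprintf` just above could cause that by truncating the entry text. A guard such as `if (e == NULL) { /* log entry_string and skip this entry */ }` before the copy into `ebuf` would make the failure explicit. Whether to skip or abort depends on the surrounding loop, which starts and ends outside this hunk. The remaining `PR_snprintf` still uses `entries[x]` as its format string, which is only sound while those templates are fixed strings in the source. If that is the case, a comment like `/* entries[] are built-in templates, never user data */` would record the assumption this fix relies on.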
diff --git a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
index 6698d83..2f1e648 100644
--- a/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
+++ b/ldap/servers/slapd/back-ldbm/ldbm_entryrdn.c
@@ -1354,8 +1354,8 @@ _entryrdn_new_rdn_elem(backend *be,
id_internal_to_stored(id, re->rdn_elem_id);
sizeushort_internal_to_stored(nrdn_len, re->rdn_elem_nrdn_len);
sizeushort_internal_to_stored(rdn_len, re->rdn_elem_rdn_len);
- PR_snprintf(re->rdn_elem_nrdn_rdn, nrdn_len, nrdn);
- PR_snprintf(RDN_ADDR(re), rdn_len, rdn);
+ PL_strncpyz(re->rdn_elem_nrdn_rdn, nrdn, nrdn_len);
+ PL_strncpyz(RDN_ADDR(re), rdn, rdn_len);
slapi_log_error(SLAPI_LOG_TRACE, ENTRYRDN_TAG,
"<-- _entryrdn_new_rdn_elem\n");
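Review bot: The bounds passed to both `PL_strncpyz` calls are `nrdn_len` and `rdn_len`, which are lengths of the source strings rather than the capacity of the destination inside `re`. The copies are therefore only as safe as the allocation earlier in `_entryrdn_new_rdn_elem`, which is outside this hunk. `PL_strncpyz` writes at most `max - 1` characters plus the terminator, so both lengths must already include the trailing NUL or the last character of each RDN is silently dropped. A comment above the copies would pin that down, for example `/* nrdn_len and rdn_len include the trailing NUL and match the space allocated for re */`. The lengths are also stored through `sizeushort_internal_to_stored`, presumably as 16-bit values, so it is worth confirming that an over-long RDN is rejected before this point and cannot leave the stored length disagreeing with the bytes copied.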